Carder.life

Carder.life (http://txgate.io:443/index.php)
-   Carding News (http://txgate.io:443/forumdisplay.php?f=38)
-   -   New Mirai botnet infect TBK DVR devices via command injection flaw (http://txgate.io:443/showthread.php?t=51301124)

Artifact 06-08-2025 07:23 PM
<div id="post_message_796256">

A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them.<br/>
<br/>
The flaw, tracked under <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3721" target="_blank">CVE-2024-3721</a>, is a command injection vulnerability disclosed by security researcher "<a href="https://github.com/netsecfish/tbk_dvr_command_injection" target="_blank">netsecfish</a>" in April 2024.<br/>
<br/>
The proof-of-concept (PoC) the researcher published at the time came in the form of a specially crafted POST request to a vulnerable endpoint, achieving shell command execution through the manipulation of certain parameters (mdb and mdc).<br/>
<br/>
Kaspersky <a href="https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/" target="_blank">now reports</a> having caught active exploitation of CVE-2024-3721 in its Linux honeypots from a new Mirai botnet variant using netsecfish's PoC.<br/>
<br/>
The attackers leverage the exploit to drop an ARM32 malware binary, which establishes communication with the command and control (C2) server to enlist the device to the botnet swarm. From there, the device is likely used to conduct distributed denial of service (DDoS) attacks, proxy malicious traffic, and other behavior.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/env-checks.png"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Mirai's environment checks. Source: Kaspersky

</td>
</tr>
</table>
</div><b><font size="4"><font color="White">Attack impact and fixes</font></font></b><br/>
<br/>
Although netsecfish reported last year that there were approximately 114,000 internet-exposed DVRs vulnerable to CVE-2024-3721, Kaspersky's scans show approximately 50,000 exposed devices, which is still significant.<br/>
<br/>
Most infections the Russian cybersecurity firm sees as being associated with the latest Mirai variant impact China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. However, this is based on Kaspersky's telemetry, and as its consumer security products are<a href="https://www.bleepingcomputer.com/news/security/biden-bans-kaspersky-antivirus-software-in-us-over-security-concerns/" target="_blank"> banned in many countries</a>, this may not accurately reflect the botnet's targeting focus.<br/>
<br/>
Currently, it is unclear if the vendor, TBK Vision, has released security updates to address the CVE-2024-3721 flaw or if it remains unpatched. BleepingComputer contacted TBK to ask about this, but we are still waiting for their response.<br/>
<br/>
It's worth noting that DVR-4104 and DVR-4216 have been <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-5-year-old-unpatched-flaw-in-tbk-dvr-devices/" target="_blank">extensively re-branded</a> under the Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands, so the availability of patches for impacted devices is a complex matter.<br/>
<br/>
The researcher who disclosed the TBK Vision flaw discovered other flaws that fueled exploitation against end-of-life devices last year.<br/>
<br/>
Specifically, netsecfish has disclosed a <a href="https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/" target="_blank">backdoor account issue</a> and a <a href="https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/" target="_blank">command injection vulnerability</a> impacting tens of thousands of EoL D-Link devices in 2024.<br/>
<br/>
Active exploitation<a href="https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-92-000-d-link-nas-devices-now-exploited-in-attacks/" target="_blank"> was detected</a> in <a href="https://www.bleepingcomputer.com/news/security/critical-bug-in-eol-d-link-nas-devices-now-exploited-in-attacks/" target="_blank">both cases</a> only a few days after the PoC's disclosure. This shows how quickly malware authors incorporate public exploits into their arsenal.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/new-mirai-botnet-infect-tbk-dvr-devices-via-command-injection-flaw/" target="_blank">@ BleepingComputer </a>
</div>


All times are GMT. The time now is 08:26 AM.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2025, vBulletin Solutions, Inc.